You don't need the two sets of tunnels you have - you can ssh to one machine and tunnel out of it into another machine. Answer updated to include that.
–
EightBitTonyAug 23 '11 at 18:13

What's the point of redirecting ports 1099? Could you precise whether bastion-host can connect to server1 and server2 without a firewall being involved?
–
Stéphane GimenezAug 24 '11 at 16:27

Have you tried using the most simple option, at the bottom of my answer, and if so, what error / problem did it give?
–
EightBitTonyAug 24 '11 at 17:32

@EightBitTony - Unfortunately this wont work, since rmi opens a random port once connection is established. The purpose of the -D option is to tell the rmi server what port it should use. However, I can only specify the SOCKS proxy port once in visualvm, and my 2 tunnels cannot share the -D option.
–
toolkitAug 24 '11 at 19:41

2 Answers
2

-D [bind_address:]port
Specifies a local “dynamic” application-level port forwarding.
This works by allocating a socket to listen to port on the local
side, optionally bound to the specified bind_address. Whenever a
connection is made to this port, the connection is forwarded over
the secure channel, and the application protocol is then used to
determine where to connect to from the remote machine. Currently
the SOCKS4 and SOCKS5 protocols are supported, and ssh will act
as a SOCKS server. Only root can forward privileged ports.
Dynamic port forwardings can also be specified in the configura‐
tion file.

You're specifying the same local port to forward from twice; Try -D 9697 on your second setup.

Am I right in thinking you've got your computer (computer A), and say two servers (A and B) which you can't connect to directly on a certain port and so want to tunnel to them over SSH?

If so, you create two tunnels from your machine (one to each target server) on different local ports using -L not -D, and then in your monitoring tool you connect to your local machine (no proxy settings) as if it was the remote server you want to check.